Here are Aaron's timesheet, peer bonus, deliverables and bio. He is currently on Pacific Time (UTC-7), in Palo Alto, CA.
Timesheet & Peer Bonus (with giv.one)
Hours | Tags | Artifacts | Feedback |
---|---|---|---|
354.5 | (...many weeks passed; see open dev log) | |||
1.2 | Token and NFT experimentation and debugging; Client API implementation for token operation | |||
11 | Research on daVinci market; Client: ERC20 grid; Token assets manager; Unified token key compute utility; In-browser IPFS retrieval analysis and benchmark; Client API initialization for token contracts and metadata, and API implementations for metadata retrieval and balance checking for token and NFT contracts; Refactor and modularization of client wallet components; Smart contract support for Override-Track capability; Smart contract optimization for universal deployability (<24K); Smart contract multi-track capability; Client side state management (reducer, saga, actions) for tracking tokens, token balances, and currently selected tokens; Direct support for well known ERC-20 tokens; Infrastructure support for tokens with custom decimal settings; Unify bn.js dependency; Multi-network support for token operations and views; Token operation hash and commit hash utilities, and debugging; Auto chaining and auto refresh token balance after commit-reveal flow; Support sending tokens; fix bugs related to reveal token operations; Distinguished UI for sending tokens (re-used from sending ONEs); Various bug fixes; Complete flow demo + verification; | |||
11.2 | NFT Grid, support for both ERC721 and ERC1155, share same underlying token abstraction with ERC20; Support image, animation, and metadata rendering; NFT details toggle; Responsive grid; End-to-end debugging and testing for tokens; Upgrade versions and warning messages for older clients; v0.3 release; Separate view and filtering for ERC20 and NFT grids; Support sending NFT through existing transfer UI; | |||
1 | OTP Input and Refocus code review + revision + bug fixes; Provide feedback; Fix missing name issue for some ERC721 tokens | |||
6.1 | Address critical security vulnerabilities with commit-reveal (#47); Constant-time commit lookup (#3, #4); Implement suggested contract optimizations in Common Prefix preliminary report (immutable variables, unchecked arithmetics); Added NatSpec compliant comments in contract code; Fix an issue with incorrect key computation of tracked tokens; Unify all reveal operations into a single function with different operation types; | |||
299.5 | (many weeks passed, content omitted; see open dev log) | |||
2 | Address user experience issues reported by Boris; Special processing for displaying Harmony Punk; Always show full address and address-tools on header section in desktop view | |||
0.5 | Support for video NFT | |||
1 | Scripts for listing 1wallet deployment transactions and inferring their addresses | |||
1.5 | Miscellaneous fixes (HTTPS certificate, protobuf generation; context menu of onboarding QR code upon tapping); Experimentations on non-standard Google Authenticator settings; Binance withdrawal issue (#127) investigation, reproduction, discussion (9:30pm) | |||
0.5 | Review of Red Packet admin tool proposal, elaboration on NFT metadata and TODO for red packet NFT, and IPFS | |||
1 | More special handling on HarmonyPunk (#128) | |||
1 | Resolve miscellaneous address issue (#130); Further discussion with Binance on withdrawal issue; Relayer: deploy new library contracts only when necessary; NFT: get header only when necessary; | |||
5.5 | Release v0.11.1; Make Swap available to all; Limit contract call operation to respect spending limit; Remove extraneous warnings; Make swap obey spending limit; Fix bug in Wallet Graph library that causes command operations always to fail; Make commit-reveal pace faster; Hide double OTP by default; Added expert mode, which allows the user to use double OTP and freely adjust spending limit | |||
1 | Fix a bug that prevents automatic transfer of tokens upon upgrade (#133) | |||
3 | Red packet design and analysis of alternatives; Complete, detailed implementation and design proposal for red packet; Discussions and open questions | |||
6 | Extending daily limit to spending limit and spending interval; Smart contract library: SpendingManager; Refactor wallet smart contract and upgrade constructor and getters to be more compact and informative; Analyze Harmony Java SDK and resolve Binance withdrawal issue | |||
4.5 | Release v0.12.1; Make all existing components work with spending limit and newly refactored wallet smart contract interfaces (core library, relayer, api, Send, Swap, About, and various other modules) | |||
2.5 | Red packet: Gift tab in wallet; Simplify onboarding messages; Make onboarding QR code intuitive for tapping; Substantially simplify onboarding messages; Added paste-from-authenticator button for mobile view; | |||
1.5 | (Continued) | |||
7 | (Continued) First functional red packet creation, end-to-end; Fix issue with not showing commit-reveal progress correctly while sending tokens; Fix issues with address labels; Make several critical modules shared, exported components; Fix several library bugs (multi-call encoding, etc.) | |||
5 | (Continued) and research and experiment on Android Google Authenticator issue (#136); Discussions; Refine red packet implementation, flow and debugging | |||
8 | Unwrapping red packet: end-to-end, debugging, and live testing; Smart contract upgrade on nonce and operation time exposure; Various reusable frontend infrastructure component for NFT tracking, display, and management | |||
6.5 | Fix Android failure to scan QR code issue; Automatically clean up invalid or expired temporary wallets; Enable wallet to display a QR code of its address recognizable by 1wallet QR code scan and general camera scan; Intelligent camera selection for all scanning and mobile support; Enable 1wallet to scan QR code and recognize various formats and intents; Simplify prompt and process to save address for new user onboarding; Added a default, not-owned NFT so new user can experience collectibles; Review and revise Haolin's work on QR code image upload; Fit and organize all new features; Various high priority miscellaneous user experience issues | |||
1.5 | Fix QR code scanning error message spamming issue; Added support for scanning red packet QR code; Finalize wallet restore entirely on mobile and making video tutorial; Various discussions, debugging with online users who had issues and those reported at the offline event | |||
4 | Allow advanced settings for red packet (custom message, random factor); Measures to reduce errors from claiming red packet, and show urgency; Relayer error analytics and report; Diagnosis and deep parsing of errors reported by people at offline event | |||
1 | Tests, research, and analysis on various browsers and incognito modes | |||
2.5 | Fix issue #147, #148 (error on restore when local double otp state is inconsistent) | |||
3 | (Continued) and fix the underlying cause of the inconsistent state, ensure double OTP works properly in future versions, and add fallback compatibility / auto-fix for restoring older, inconsistent versions | |||
1 | Offline event feedback review and analysis; debugging | |||
0.5 | Debugging; fix a bug which may cause wallet listing screen to run into infinite loop | |||
1 | Assist on #149, #150, research on #151 and 1:1 integration guidance following #149 | |||
1.5 | Allow integrations to make binary calls directly via hex data | |||
1 | DEX and hackathon integration assistance; Fix a bug where integration calls with zero send-amount would not function; | |||
2.5 | Gnosis integration debugging; Diagnose issues with Jenya arising from local inconsistent state and old wallet version as part of Gnosis integration; | |||
2.5 | Safeguards and tests against using incompatible wallet versions for integrations | |||
6.5 | Track and untrack tokens, NFTs; Direct integration with daVinci and customization based on its unique IPFS, API, and file formats; Mobile view | |||
3.5 | (Continued); Released v0.12.4 | |||
1 | Fix issues that may cause inconsistent state; Diagnosis and debug with Jenya | |||
1 | Gnosis integration finalization with Jenya and demo | |||
0.5 | daVinci NFT purchase IPFS issue further research and adding materials for loading state | |||
0.5 | Gnosis safe integration debugging on multiple environments; Analysis of causes for wallets gone missing | |||
3 | Support Aegis authenticator (#151, #157); Debugging wallet gone missing and bugs in purge routine; Use simple create flow in side menu; Tolerate 30 delay of OTP code; | |||
5.5 | List top 9 ERC-20 assets in wallet home screen (#158); Simplified app-call flow (#159); verify callback domain and whitelist contract and methods (#159); call data decode utility (#159); Hide temporary wallets for app connect. Test and debug Gnosis Safe integrations | |||
2 | Ability to inspect old wallets; Improve wallet About screen; improve Sentry event capturing; Debug IPFS issues and improve NFT visualization robustness | |||
8 | Ability to reclaim domain and tokens from old wallet, debug and testing; Sensible layout and interactions on wallet about screen; Unify row components; Fix bug with wallet purge to prevent purging partial proofs which are still used by at least one wallet; NFT gateway and display stability debugging; Reclaim reverse domain | |||
3 | Release v13 (#160); Release notes; Simplify OTP confirmation flow; auto-verify domain in both directions; Fully functional Inspect and Reclaim features | |||
1 | Fix upgrade OTP confirmation bug; Auto copy on address format switching; Mobile friendly wallet title; Auto-spawn temporary old wallets during app-call if needed; Store old wallets in state persistently; 4s retry interval; favicon; Simplified, minimal call screen | |||
3 | (Continued) | |||
1 | Timeless integration and 1wallet library sync | |||
3 | Generalized method for contract and method verification during app call; Tools for adding Harmony protocol in MetaMask and opening Harmony Safe; Issue #161 | |||
1.5 | Gnosis Safe code review, development tracking, security analysis, and identify potential backdoors | |||
1.5 | (Continued) | |||
2 | (Continued) | |||
6 | Event mapping extraction scripts; Issue #161, cumulative analysis and debugging; Debugging and fix issues with using old wallets; Dev state dump tool; Remove recovery on recover screen when recovery address is not set; Fix infinite loop on connect; Fix NFT tracking on mobile; Gnosis Safe integration contract interaction debugging and tests | |||
4 | Gnosis Safe SushiSwap Transaction encoder tool; Functional Gnosis Safe SushiSwap end-to-end flow; Improve Swap mobile experience; disable mobile autozoom; add paste button on mobile OTP input; fix global usage stats overflow (use abbreviation); always show address options on wallet title; Hex options on wallet address components; allow displaying and choosing old wallet address and hex addresses in app connect screen | |||
3 | (Continued) | |||
0.5 | General integration advice and debugging and resolving Timeless address conversion issues in Python and Swift | |||
0.5 | Tools with individual URLs and guides; Investigation, analysis, and guidance for issues encountered by Harmony DAO grant recipients; Issues #165, #164; expert mode support for grant recipients | |||
2 | Wallet as Safari extension (macOS 12 / iOS 15) debugging, build, research, analysis, and experiments | |||
4 | Trustless bridge review; Review and feedback to security risk raised by Shashank (re: forging commit); Issue #164 | |||
4 | (Continued) and address issue #166 | |||
1 | Sync with Harmony team re: domain services and use cases | |||
1.5 | Transak integration review and application (#155); Analysis, planning, and feedback to Timeless regarding fiat integration and Apple Pay | |||
0.5 | Analyze and fix QR code compatibility issue (Haodi) and Google Authenticator version history | |||
1.5 | Sync with Transak; Preparation for Transak integration; Plan and acquire resources needed to enable ONE / USD purchase; Sync with Timeless on fiat integration | |||
2 | Trustless bridge script code review and analysis | |||
5 | Trustless bridge contract code review, analysis, feedback; Comparison with trusted bridge implementations | |||
5.5 | Sync and feedback on Timeless Wallet integration technical issues; Implement fixes for issue #166 and the underlying issues (identifying post-recovery wallets, prevent infinite loop, show warnings, etc.) | |||
2.5 | Re-work notifications; Commit-Reveal progress experience improvement; Mobile experience improvement. Warning for sending to custody-wallet addresses; More #116 | |||
0.5 | Cache global usage stats on client side; Resolve stats count issue (#162) | |||
5 | Transak integration implementation, testing, bug analysis and sync; End-to-end staging and production tests | |||
4 | Milestones, progress and development summaries, planning, public pages, and research on various issues (fiat, Apple Pay, library integration, NFT) | |||
3 | Ethereum trustless bridge audit: code and design review (EthereumProver, HarmonyProver, Merkle Patricia Tree inclusion and exclusion tests, alternative MPT implementation, JavaScript invocations and example usage, analysis on fork resistance) | |||
5 | (Continued); Timeless integration and 1wallet library customizations | |||
1 | Ethereum trustless bridge audit: more analysis on correctness of MPT membership test implementation in libraries | |||
4 | (Continued) Merkle Mountain Range related implementations review and analysis | |||
4 | (Continued) and all remaining components and libraries except ethash. Analysis on TokenLockerOnHarmony and concern over lack of MMR | |||
1 | Timeless integration: analysis of onboarding issues, suggestions, tentative solutions and improvements | |||
2 | Analysis, proposals, and planning for wallet renewal (#171), predictable address (#172), and 1wallet light client (#174) | |||
6 | v14 WIP: core replacement logic, new reveal libraries, refactoring contracts to conform to size limits, simplifying code, testing; Timeless integration discussions on upgrade, review of alternative approaches in other projects, and discussion of various integration issues | |||
6 | (Continued) Batch operation support; Relayer upgrade for contract caching, better logging for requests, backoff-retry initialization | |||
6 | Minimal wallet setup components; Extend wallet frontend infrastructure; | |||
5 | Recovery expiration checks; Recovery frontend bug fixes; 1wallet DAO change; Extend frontend infrastructure, core library hash utilities | |||
3 | (Continued) Extend operation implementation and testing | |||
6 | (Continued) Revamp Extend infrastructure; Script utilities for event and topic hashing; Core API for retrieving old cores; Root management utility and deletion utilities; useWallet and various common components; Contract revamp to allow authentication against old cores (old authenticator roots and times); Relayer initialization on Ganache; Wallet expiration checks; Wallet root checks and multi-device check | |||
7 | (Continued) Core library: support loading old roots; Experiments on validating new root and old root belong to same seed | |||
3 | (Continued) Self-code review and address review comments; Fix bugs in new reveal mechanism on multi-core authentication and recovery authentication; | |||
2 | Revamp upgrade messaging and experience | |||
2 | Fiat on-ramp refactoring and customized currency selector; Allow skipping upgrade version and fix layout bugs | |||
2 | Planning, updates, implementation proposals and analysis, and milestones (#189, #190, #191) | |||
1 | (Continued) | |||
1.5 | Using Harmony Safe with 1wallet: create, deposit, and swap tutorials; ETH bridge report discussion; BTC bridge initial review; Unstoppable domain initial review | |||
7.5 | Predictable address, 1wallet deployment factory (#172); Research on proxy upgrade (#189); Bug fix: recovered wallet is stuck in wallet list | |||
5 | (Continued) | |||
8 | (Continued) and analysis on upgrade mechanism and future directions #189 | |||
6.5 | (Continued) and factory helper, identification hash mechanism for permanent recovery capability, ecrecover on identification hash on contract; major refactoring and structure optimization of contracts | |||
5 | Recovery and Version libraries; Bolster TokenTracker library; Reduce main contract size by 40%; Improve ENS domain and subdomain libraries; Optimize WalletGraph | |||
3 | Core structure enhancement; Setting up inner cores at initialization; Authentication logic against inner cores; Two levels of daily limit adjustment functionalities; Detailed description of design and variable purposes in comments; Relayer new formats for creating new wallets; More efficient commit and reveal from relayer | |||
6 | (Continued) | |||
4 | Core: make OTP seed dual purpose (also serves as private keys), re-work identification hash to conform with public key formats; Completely reworked relayer initialization code; | |||
5.5 | (Continued) fix several issues with factory and deployer helper; fix issues with relayer deployment using factory; | |||
5 | Core library: efficiently building Merkle tree with inner cores; inner tree generations; interlaced sha256 hasher | |||
5 | Make all core tests work again; Make new test utils for common procedures (creation, tree generation); Improve tests; Improve core libraries and fix bugs introduced by inner cores | |||
5 | Make most tests use test utils; Factory tests; Make tests use factory; Add more encoder, decoder, and utils in tests | |||
4 | (Continued) and fix bugs in recovery using inner cores | |||
2 | Core construction utilities; refactoring tests | |||
3 | Improved test flow; commit-reveal utilities for larger scale tests; inner core tests; Make tests use salted creation procedure, run deterministically, using separate creation seeds | |||
6 | (Continued) fix core displacement contract bug; pass most significant inner core related tests (core displacement); add null operation parameters and update various other constants; | |||
2 | Pass additional tests for post-core-replacement operations and transfers | |||
6 | Spend limit tests; Various hash computation utilities in core lib; Relayer default spend limit values; Contract: categorize reveal hash compute functions | |||
7 | Client: adapt to new creation flow, compute inner cores in workers, and store appropriately; Optimize inner core tree height; Allow relayer to be more adaptive to arguments; Experiment and reduce wallet creation duration | |||
1 | Status review and updates | |||
3 | 1wallet presentations and summary | |||
3 | 1wallet short presentation | |||
1.5 | (continued) presentation appendix | |||
2 | (continued) talk preparation | |||
2.5 | More wallet restoration methods | |||
2 | Review, debug, and test address book changes (#200) and persistent store and synchronization improvements (#199) | |||
1 | (Continued) | |||
1 | Review and debug an issue with swap such that estimate may be off and swap may fail for some pairs (#204) | |||
1.5 | Initial review of staking dashboard code for security issues | |||
5 | Fix liquidity, estimation, execution, and error handling issues with Swap | |||
3.5 | Review of Chrome Extension Wallet code for vulnerability and further review of staking dashboard | |||
3 | Presentation preparation and rehearsal | |||
1 | Review staking dashboard code injection issues and identify possible places of injection | |||
12 | (Continued) Wallet restoration proto definition; Better restoration guide; Embed predicted address in QR code during creation; OtpSuperStack component; Core library that supports v15 core construction and computing restoration eotp; State management with cache; Component implementation for restoration by 6x6 codes and recovery file handling | |||
7 | (Continued) | |||
4 | State persistence final review and debugging (#199); Export feature review, debugging, and improvements (#202) | |||
2 | State refactoring review and conflict resolution (#209); Further state refactoring cleanup and improvements | |||
6 | (Continued) Bug fixes with core apis with respect to v15 changes; Cache creation code per network; Fix relayer parameters with respect to gas usage to accommodate higher gas consumption in v15; Fix potential errors of component rendering in case of network or wallet errors; Rewrite restoration option messaging and layouts | |||
1.5 | Review and testing of state refactoring part 2 (#212) | |||
8 | Customizable RPC endpoints in client; env sample; Fix fallback values in new persistence state layout; Build thief hunter - tools for batch scanning websites that potentially interact with Harmony Chrome Extension Wallet; Configure the tool and acquire initial scanning results for all validators' websites on mainnet and testnet; Analysis | |||
4 | Refine wallet proto; separate RestoreByScan component; refine SyncRecoveryFile; refine recovery pages and restore pages | |||
2 | Test and fix various issues with Restore: using recovery file, local import, and some compile issues; Review QR code scanner hotfix (#223) | |||
6 | InnerCore tests with snapshots; Fix bug with core construction util; innerCore retrieval from contract; RPC config through env; Fix issues with wallet proto; Local export wallet with name; Fix initialization issue in OTPSuperStack; Fix focus issue with OTPStack; Fix various update and functional issues with restore-by-code, sync recovery file, and setting up new code while restoring; Recompile contracts; utilities for retrieving and processing core settings from blockchain | |||
2 | (Continued) | |||
3 | EOTPBuilder for encoding multiple OTPs; Exposure of util API in browser; Fix unsynced component data in restore-by-code and set-up-new-code flow, and exception handling; Testing and debugging the flows; Handling local layer storage after the flows | |||
3.5 | Properly auto destroy workers; Auto-cleanup unused inner trees; Override versions in API calls during restore; Add ability to override versions in core libraries during commit and reveal; Debugging notifications for expected OTP, restore process, and other critical steps; Testing and debugging all restore methods | |||
1.5 | Continued testing and debugging, and fixing restore issues; Fully functional restore-by-code, end-to-end | |||
1.5 | ||||
3 | Use two-word names and a simple timestamp for wallet names everywhere; Display creation QR code using timestamped wallet name; Restore explanation update; Properly handle wallet names without timestamps and use wallet names with timestamps to guide user selecting the right auth code to use | |||
9 | Auto-load identificationKey from blockchain for wallet initializations; Update core API and instantly initialize all contract instances without Truffle verification; Add more debugging messages in commit-reveal flow; Add debug method in message interface; Adjust camera scan delay; fix a bug where deleteRoot is not deleting tree from storage; added cleanStorage util; Call cleanStorage on wallet list init; fixed a bug where wallets might not be initialized before purging; Use WalletCreateProgress to highlight in-progress stage for wallet creation; Improve Google Authenticator export guide; Show proper wallet names for info popups; Allow workers to build inner trees and add such an option; Use identificationKeys to identify tree to use in core commit-reveal flow; Make RestoreByScan fully functional; Store localIdentificationKey in RestoreByCodes | |||
4 | (Continued) use .recovery1wallet for recovery files; Use localIdentificationKey to find the right layers to export in local export and import; use new wallet proto in import/export; uniformly use uint8array for secrets/seed; core: use backward compatible init counter value; duplicate seed arraybuffer on processOtpSeed; | |||
2.5 | Review #219, #225, #226; Resolve merge conflict; Fix wallet auto-migration; Use new wallet persistent state layout for restore; auto migrate global state; Clean up secret-leaking debug message; | |||
6 | Review #224; terminate random worker on unload; more consistent getWallet return value format; add versioning comments for api create; contract: allow DISPLACE to occur with single core when innerCores are unavailable; move contract-code acquisition to routes; set gas limit for factories; Make Upgrade component compatible with v15; | |||
4 | (Continued) | |||
5 | Review #222 (event notifications), #227 (lazy load); Restore: filter id keys for only ecdsa public keys; remove hardcoded addresses for deploy; core flow: separate out deriveEOTP and related functions for external use; relayer: log address of newly deployed lib; Fix event notification messages; | |||
7 | ZKU - dark forest assignment research, design, writeup, and validation of feasibility | |||
2 | (Continued) | |||
2 | Chrome Extension Wallet emergency response and forensic analysis to crosschain movement of funds; Analysis of victim profiles (W, T, R, S, A) | |||
6 | Hacker transaction pattern analysis, Tornado Cash transaction review and tracing; SlowMist engagement and briefing; Staking dashboard and Chrome Extension Wallet version freezing and runtime code sampling | |||
5 | Chrome Extension Wallet incident analysis and report, #1; Whitehat hacker engagement and briefing; Victim profile analysis and identification of common traits | |||
3 | (Continued); More hacker transaction pattern analysis; | |||
1 | Report appendix; Response team briefing and analysis | |||
3 | Chrome Extension Wallet code review: event listener usage and internal API flow | |||
1 | FBI initial briefing | |||
2 | Meeting with Shashank on 1wallet analysis and planning, Chrome Extension incident, and Tornado Cash tracing | |||
2 | More extension code review and analysis (use of local storage and Chrome synced storage, safety of storage usage, research) | |||
2 | Report editing; Aggregation of state police reports; More code review; Internal briefing on law enforcement engagement | |||
1.5 | Response team internal briefing; FBI group meeting regarding the incident and formulation of next steps | |||
1.5 | Research and analysis on brute-force difficulty and local storage encryption strength; Hacker tracing discussions | |||
2.5 | Research and analysis on Chrome zero-day issues in 2021 and its role and potential impact in the hacks; Hacker wallet and transaction analysis | |||
3 | Extension code review, exception handling vulnerability analysis, writeup, and internal discussions with Jenya | |||
4 | User agent analysis and discussion; More code review and research on exception handling vulnerability (e.g. potential danger of stack leaking private keys); Simulation of exception under abnormal condition and using debug tools; Internal discussion and writeup | |||
2 | (Continued); | |||
3 | Response team briefing; Runtime extension JS code analysis and interaction with localStorage; Internal discussions on risk and vulnerability | |||
1.5 | Bridge transaction analysis and gas usage analysis; Internal discussions | |||
7.5 | Staking dashboard code review and analysis; internal discussions; Common browsing history analysis tool; Report on common browsing history of victims; | |||
5 | Analysis on potential DNS vulnerability on Netlify and Staking Dashboard; Internal writeup and discussions; Analysis of security of extension build process, and recommendations; Analysis of event queue processing system in extension code; Hypothesis on potential ways of attacks; Internal discussions; Review of potential hacks | |||
2.5 | Response team briefing; Validation and analysis of RPC log | |||
3 | More validation and analysis on RPC log; Code review on extension active-tab handling and tab-locking mechanism; Analysis and discussion on potential issues | |||
8 | Review and suggestions on incident announcement blog; Heap analysis on memory footprint of private key; Local filesystem analysis, research on extension versioning, event logging, and local filesystem footprint; Fine-grained network traffic analysis and capturing; Frontend fingerprint initial analysis; Internal discussions | |||
4 | More research and analysis on use-after-free vulnerabilities and their potential impact on extension manipulation and private key safety; More network traffic analysis | |||
3 | Research and analysis on (1) Chrome flags' effects on extension security (2) tracking the existence of extension log and possible ways of using them | |||
3 | Tracking unexpected movement of victim funds (J, DK) and result of suspension mechanisms; Internal discussions and analysis; Research on methods of tracking hackers | |||
3 | Further analysis on local storage encryption strength and end-to-end code review; Comparison against MetaMask code and local storage encryption strength; Analysis, report, and internal discussions; Hacking transaction analysis, r,s,v signature analysis and transaction signature's relation to choice of wallets and RPC endpoints | |||
5 | (Continued) | |||
3 | Research and analysis on new victim's report (J); New questionnaire design; Further browser history analysis and pairwise comparisons among existing victims; Internal discussions | |||
9 | Victim interview (J) and post-interview analysis with detailed report; Transaction hash and signature recovery / verification and discussions on the discrepancies | |||
4 | 1wallet QR code parser | |||
2 | Research and analysis on npm dependencies vulnerabilities and automated tools for such analysis | |||
4.5 | Response team briefing; Briefing with Quoc and onboarding; Aggregation and labelling of victim/hacker related addresses and transactions; Discussions and investigations on npm dependencies and potential vulnerabilities; Fingerprint tracking setup and discussions | |||
5 | Tracking and analyzing fingerprints in realtime; Cross-checking existing and new-found vulnerabilities with Quoc; Internal discussions; Review and feedback on hacking incident announcement blog; Investigation and analysis on post-incident interactions between victim and people with suspicious behaviors; | |||
5 | Create, configure, and deploy thiefmonitor - server-side application that continuously monitors transactions from any set of addresses and sends structured email alerts; Fingerprint and ProtonVPN analysis | |||
2.5 | Response team briefing and internal discussions; Review of Quoc's initial report on security vulnerabilities in extension wallet | |||
2 | Fingerprint tracking and internal discussions and disambiguation | |||
4.5 | Extension wallet clickjacking and iframe embedding issue reproduction and investigation; Demonstration and further exploitations on the issue; Internal discussion; Sync with Quoc | |||
6 | Further analysis and investigation into iframe embedding vulnerability; Analysis of property-getter override vulnerability and scope of impact; Security analysis using runtime (minimized), cross-compiled code; Internal discussions; Further IP tracing and fingerprint tracing | |||
2 | Response team briefing; Analysis of IP tracing and linkage of attacks; Analysis of new victim profile (O), browser history, and recent transaction history; Suspect investigation; Extension wallet deprecation planning; Internal discussions | |||
2 | (Continued) Suspect investigation and interview with relevant personnel; Chrome extension security expert engagement; Damage mitigation planning and briefing | |||
1 | Re-evaluation of staked asset migration plan and internal discussion; | |||
3 | Response team briefing; FBI Sync; Extension code review on miscellaneous areas; Evidence gathering, preparation, and analysis on suspect; | |||
2 | (Continued) Tornado cash activity tracing on latest victims; Expansion of fingerprint tracing and IP tracing; More fingerprint analysis | |||
5 | Report #2 (Additional Victims, Frontend Tracing, Backend and RPC Tracing, Log Analysis, Suspect Analysis, Background, History, Interview and Evidence) | |||
4 | Blacklist log analysis and discussion; IP and fingerprint tracing and analysis; Further extension code review | |||
1 | 1wallet design review and sync with Darren | |||
2 | Response team briefing; Node leader log processing | |||
3 | 1wallet v15 pre-release notes | |||
0.5 | Response team briefing | |||
3 | Review and analysis of AnChain report; Internal discussions | |||
1 | 1wallet QR parser: deduplication; write secrets to separate plaintext files; fix some messages and bugs | |||
2 | AnChain sync and report discussions; Response team briefing; New victim interview (MC); Internal discussions | |||
0.5 | Response team briefing | |||
1 | Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions | |||
0.5 | (Continued) Interview with owners of large accounts at risk | |||
3.5 | Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints, used everywhere names are referenced; Create wallet component shared functions for before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components; | |||
6.5 | (Continued) | |||
2.5 | AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks | |||
6 | 1wallet: core flow util: deriveSuperOTP; use deriveSuperOTP in RestoreByCodes; fully functional spend limit adjustment component; | |||
4 | Abort mechanism in event message; Core lib: EOTPDerivation; core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; Fix bug in remaining limit display in balance page; Fix renew-now link | |||
1 | Better organized renew page | |||
6 | Fix truffle distinction between dev and ganache; core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handling; use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime in deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fully functional renewal for v15 | |||
6 | (Continued) Check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; Clear OTP input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; Keep React component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; Move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; Improve messages related to emitted events; Fix metamask tool; Remove Chrome extension wallet from readme; Improve renewal messaging; Fix an issue which may cause multiple workers to be created; | |||
1 | Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims | |||
9 | (Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly mark a wallet as "expired"; Fix worker spamming logs; More granular messages and instructions when users access functionality that requires renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug in renewal in which old core parameters are used in lieu of new ones; Implement early termination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectiveTime in renewal; | |||
3 | (Continued) Merged and launched v15; Fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes; | |||
2 | Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues | |||
4 | Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims; | |||
0.5 | SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions; | |||
1 | Chrome extension wallet PR 117 review and testing; Sync with Quoc | |||
1 | Sync with Anchain; Response team briefing | |||
1 | Response team internal discussions and planning | |||
1.5 | Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements of funds; | |||
0.25 | Secureworks initial engagement | |||
0.5 | Response team briefing | |||
1 | MyContainer incident review, analysis, and discussion | |||
1.5 | Engagement with private investigators and preliminary exchange of information | |||
3 | Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims | |||
1 | Response team briefing | |||
0.5 | Sync with Sukanta and internal discussions | |||
0.25 | Secureworks second and final engagement (not to proceed) | |||
0.5 | VueJS injection vulnerability experimentation | |||
0.5 | Private investigator initial briefing and preliminary assignment of work | |||
0.5 | Response team briefing | |||
0.5 | Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53 | |||
0.5 | Analysis of new victim profiles and priorities (unassigned code names) | |||
0.5 | Response team briefing | |||
0.5 | Discussion with Matthew for extension wallet code analysis | |||
0.5 | Victim interview and Q&A call (BL) | |||
0.5 | Response team briefing | |||
1 | Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report | |||
0.5 | Response team briefing | |||
0.5 | Coalfire initial engagement and scope discussion | |||
0.5 | Onboarding Matthew for extension wallet vulnerability investigation | |||
0.5 | Victim interview and Q&A call (DD) | |||
0.5 | Response team briefing | |||
1 | Sync with Silent Auth | |||
1.5 | Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident | |||
1 | New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration) | |||
3 | New victim browser history analysis (BL, DD) and manual inspection of all common sites | |||
1.5 | Investigation and analysis of reported suspicious Ethereum transaction and contract address that invokes Harmony bridge | |||
0.5 | Initial engagement with Merkle Science | |||
0.5 | Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories | |||
0.5 | Response team briefing | |||
0.5 | ||||
1 | Receiving updates from AnChain and discussion of issues and next steps | |||
2.5 | 1wallet, project document: Use Ethereum NFT on Harmony as Avatar | |||
1.5 | (Continued) | |||
1.5 | Review and experimentation of Matthew's vulnerability report #1 | |||
0.5 | Revision on "Use Ethereum NFT on Harmony as Avatar" | |||
1 | Sync with Coalfire | |||
0.5 | Response team briefing | |||
1.5 | Finalization of "Use Ethereum NFT on Harmony as Avatar" | |||
1 | Theft case investigation (lead from Binance related activities) | |||
0.5 | Malware investigation | |||
1 | AnChain finding presentation and discussions | |||
1 | Malware analysis and risk review | |||
1 | Silent Auth proposal evaluation and feedback | |||
1 | Onboarding Michael M and discussions | |||
1.5 | Response team briefing; Investigation on new victim (GU); Emergency response | |||
0.5 | Response team briefing | |||
0.5 | Response team briefing | |||
1.5 | Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis | |||
0.5 | Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis | |||
0.5 | Sync with private investigator regarding suspect | |||
0.5 | Evaluation of Project X leads | |||
1 | Sync with Merkle Science on Tornado Cash findings | |||
0.5 | Response team briefing | |||
1 | Evaluation of Project X leads (Xoogler Demo Day projects) | |||
1 | Project X deal sourcing (Xoogler meetup) | |||
1 | Evaluation of Project X prospect DSCAPE, meeting, and internal discussion | |||
0.5 | Evaluation of Project X leads | |||
1.5 | Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren | |||
1 | Joint evaluation of Project X prospect C14 | |||
1 | Sync with FBI (with Merkle Science) | |||
1.5 | Preparation and joint evaluation of Project X prospect Protego | |||
1.5 | Joint evaluation of Project X prospect Deepwaters | |||
1.5 | Project X deal sourcing (Xoogler meetup #2) | |||
1.5 | Joint evaluation of Project X prospect HOPR | |||
2 | Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy | |||
1.5 | Joint evaluation of HexaTorch | |||
1 | Research and offline evaluation on Project X prospect Cytus | |||
2.5 | Diligence meeting with Project X investee C14; Research and diligence on C14 thesis | |||
1 | Research and technical diligence on Project X investee Deepwaters | |||
2 | (Continued) | |||
1 | Silent Auth detailed proposal additional feedback and questions | |||
1 | Diligence meeting with Deepwaters | |||
0.5 | Statement of Work clarification meeting with Coalfire |